BLACKBAUD DATA SECURITY INCIDENT STATEMENT
Blackbaud, Inc. is a vendor that provides a variety of specialized customer relationship management products to university and nonprofits including many in North Dakota. They recently reported they discovered and addressed a cybersecurity incident that affected many of their customers, including the Valley City State University Foundation. This incident may have given a third party access to certain Blackbaud client information.
Please be assured that we do NOT store bank account or credit and debit card information, and, therefore, none of this information was part of the incident. Blackbaud has confirmed that th investigation found that no encrypted information, such as Social Security numbers or passwords, was accessible.
Blackbaud has engaged third party forensic experts to actively monitor the possible use of this information and to notify individuals upon detection of misuse. No misuse has been reported and we do not believe there is a need for you to take any action at this time. As a best practice, we recommend that you remain vigilant and promptly report to the proper law enforcement authorities any suspicious activity or suspected identity theft. While we do not believe that this incident is reasonably likely to subject affected individuals to a risk of harm, we are providing this notice in an abundance of caution and transparency.
We sincerely apologize for this security incident of our vendor. The Valley City State University Foundation understands the tremendous responsibility we have to protect the data we hold. Though this occurred with a third party, we are actively and thoroughly reviewing the incident.
We take data protection very seriously and deeply value our continued relationship with Valley City State’s dedicated alumni and friends. We remain fully committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We sincerely regret any inconvenience this incident may cause.
Should you have any further questions or concerns regarding this matter, please do not hesitate to contact us at foundation.privacy@vcsu.edu or by calling 701.845.7203.
WHAT HAPPENED?
We were recently notified by one of our vendors, Blackbaud Inc., of a security incident in which Blackbaud experienced a ransomware attack. However, prior to being locked out, the cybercriminals removed backup files from Blackbaud’s platform, which hosted data for numerous colleges, universities, health care organizations, foundations, and other non-profit organizations around the world, including the VCSU Foundation. Blackbaud believes the incident occurred between February and May 2020. Blackbaud discovered the incident in May, conducted an investigation, and notified the Foundation on July 16, 2020.
WHAT INFORMATION WAS INVOLVED?
After a careful review, we have determined that the information removed by the threat actor may have contained some information, which included the name, address and/or date of birth of some VCSU stakeholders. Please be assured that we do NOT store bank account or credit and debit card information, and, therefore, none of this information was part of the incident. Blackbaud has confirmed that the investigation found that no encrypted information, such as Social Security numbers or passwords, was accessible. Also, Blackbaud worked with law enforcement and third-party experts and informed us that they paid the threat actor.
RISK AND CONTINUED MITIGATION
At this time, based on the information we have received from Blackbaud, we have no reason to believe that any data will be misused, disseminated, or otherwise made publicly available. Blackbaud indicates that it has hired a third-party team of experts, including a team of forensics accountants, to continue monitoring for any such activity. Unfortunately, these ransomware attacks are becoming more and more common. As a best practice in today’s world of cybercrime, we recommend that everyone remain vigilant and report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
What steps has the Valley City State University Foundation taken in response?
We immediately launched our own investigation and have taken the following steps:
- We are notifying all affected individuals to make them aware of this incident of Blackbaud’s systems so they can remain vigilant.
- We assessed the exact impact of the incident on our data and notified affected individuals directly to comply with state-by-state legal obligations.
- We are working with Blackbaud to understand why there was a delay between it finding the incident and notifying us, as well as what specific actions Blackbaud is taking to increase its security.
- We are evaluating the scope of our relationship with Blackbaud going forward.